Processing password policy codes in pass-through authentication

You can configure IBM® Security Directory Server to process the password policy failure reason codes from pass-through directories and send normalized error codes to the client applications. Use this feature so that the client application can identify the reason for the failure and take the required action to resolve the error.

About this task

Processing of password policy codes is supported only when Active Directory or IBM Security Directory Server is the pass-through authentication server. Errors from any other directories are not processed.

If you do not configure password policy processing, or if you use a directory that is not supported for pass-through authentication password policy code processing, IBM Security Directory Server returns the generic LDAP error code LDAP_INVALID_CREDENTIALS to the client. It does not expose the exact reason for the failure, so client applications cannot take further action on it. For example, if resolving the error requires that the password be reset, a client application can redirect the user to a password reset page, but only if IBM Security Directory Server processes the reason code from the pass-through directory.

Procedure

  1. Add the ibm-slapdPtaDirType attribute to the pass-through server configuration entry, as shown in the following examples.

     Example 1 (Active Directory as the pass-through server):

     dn: cn=Passthrough Server1, cn=Passthrough Authentication, cn=Configuration
     cn: Passthrough Server1
     ibm-slapdPtaDirType: ActiveDirectory
     ibm-slapdPtaAttrMapping: cn $ uid
     ibm-slapdPtaBindDN: valid_DN
     ibm-slapdPtabindPW: DN_password
     ibm-slapdPtaSearchBase: Search base in PTA server
     ibm-slapdPtaSubtree: Local subtree
     ibm-slapdPtaURL: ldap://host:389
     objectclass: top
     objectclass: ibm-slapdConfigEntry
     objectclass: ibm-slapdPta
     objectclass: ibm-slapdPtaExt

     Example 2 (IBM Security Directory Server as the pass-through server):

     dn: cn=Passthrough Server2, cn=Passthrough Authentication, cn=Configuration
     cn: Passthrough Server2
     ibm-slapdPtaDirType: SecurityDirectoryServer
     ibm-slapdPtaSubtree: Local subtree
     ibm-slapdPtaURL: ldap://host:1389
     objectclass: top
     objectclass: ibm-slapdConfigEntry
     objectclass: ibm-slapdPta

  2. Restart IBM Security Directory Server.

Results

Based on the type of directory that you specify, IBM Security Directory Server parses and processes the login error response from the pass-through directory. It then maps the failure reason codes to the appropriate control error codes of IBM Security Directory Server, as shown in the following table.

Table 1. Mapping between Active Directory data codes and IBM Security Directory Server control error codes

Active Directory data code                                                    | IBM Security Directory Server control error code
------------------------------------------------------------------------------|---------------------------------------------------------------------
525 (User not found)                                                          | None (only the LDAP error is sent, no response control)
52e (Invalid credentials)                                                     | None (only the LDAP error is sent, no response control)
530 (Not permitted to logon at this time)                                     | 13 (LDAP_NOT_PERMITTED – new error code)
531 (Not permitted to logon at this workstation)                              | 13 (LDAP_NOT_PERMITTED – new error code)
532 (Password expired)                                                        | 3 (LDAP_PASSWORD_EXPIRED) – Error, Password has expired
533 (Account disabled)                                                        | 4 (LDAP_ACCOUNT_LOCKED) – Error, Account is locked
534 (The user has not been granted the requested logon type at this machine) | 4 (LDAP_ACCOUNT_LOCKED) – Error, Account is locked
701 (Account expired)                                                         | 14 (LDAP_ACCOUNT_EXPIRED – new error code)
773 (User must reset password)                                                | 5 (LDAP_CHANGE_AFTER_RESET) – Error, Password must be changed after reset
775 (User account locked)                                                     | 4 (LDAP_ACCOUNT_LOCKED) – Error, Account is locked
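The following is an added illustration, not IBM code: it emulates the Table 1 mapping on an Active Directory bind diagnostic message and shows how a client application can act on the normalized control error code instead of the bare LDAP_INVALID_CREDENTIALS result. The diagnostic-message format ("AcceptSecurityContext error, data 52e, ...") and the sample messages are assumptions constructed for the example.

```python
import re
from typing import Optional

# Table 1 from this page: Active Directory "data" code -> IBM SDS control error code.
# None means SDS sends only the LDAP error and no response control.
AD_TO_SDS_CONTROL = {
    "525": None,  # user not found
    "52e": None,  # invalid credentials
    "530": 13,    # LDAP_NOT_PERMITTED (logon hours)
    "531": 13,    # LDAP_NOT_PERMITTED (workstation)
    "532": 3,     # LDAP_PASSWORD_EXPIRED
    "533": 4,     # LDAP_ACCOUNT_LOCKED (account disabled)
    "534": 4,     # LDAP_ACCOUNT_LOCKED (logon type not granted)
    "701": 14,    # LDAP_ACCOUNT_EXPIRED
    "773": 5,     # LDAP_CHANGE_AFTER_RESET
    "775": 4,     # LDAP_ACCOUNT_LOCKED
}

SDS_CONTROL_NAMES = {3: "LDAP_PASSWORD_EXPIRED", 4: "LDAP_ACCOUNT_LOCKED",
                     5: "LDAP_CHANGE_AFTER_RESET", 13: "LDAP_NOT_PERMITTED",
                     14: "LDAP_ACCOUNT_EXPIRED"}

# Assumed shape of the AD bind diagnostic message; the hex "data" token is the code.
_DATA_CODE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def ad_data_code(diagnostic: str) -> Optional[str]:
    """Extract the AD data code (e.g. '52e') from a bind diagnostic message."""
    m = _DATA_CODE.search(diagnostic)
    return m.group(1).lower() if m else None


def normalize(diagnostic: str) -> Optional[int]:
    """Emulate SDS: map the AD data code to the control error code in Table 1.
    Unknown or missing codes fall back to None (generic LDAP error only)."""
    return AD_TO_SDS_CONTROL.get(ad_data_code(diagnostic))


def client_action(control_code: Optional[int]) -> str:
    """What a client application can do once it receives the normalized code."""
    if control_code in (3, 5):   # expired or must-change-after-reset
        return "redirect to password reset"
    if control_code == 4:        # locked or disabled: retrying will not help
        return "show account locked message"
    if control_code == 14:
        return "show account expired message"
    if control_code == 13:
        return "show logon not permitted at this time or workstation"
    return "show generic invalid credentials"
```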